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Abstract 

For a Boolean function /, define Af(a) = Yl x f(x)f(x © a), f(x) = (—l)^ x \ the ab- 
solute indicator Aj = max a ^o |A/(a)|, and the sum- of- squares indicator o~f = J2a 
We construct a class of functions with good local avalanche characteristics, but bad global 
avalanche characteristics, namely we show that 2 2n (l + p) < o~f < 2 3n_2 , Aj = 2 n , where 
p is the number of linear structures (with even Hamming weight) of the first half of an SAC 
balanced Boolean function /. We also derive some bounds for the nonlinearity of such functions. 
It improves upon the results of Son et al. Q and Sung et al. Jt|. In our second result we 
construct a class of highly nonlinear balanced functions with good local and global avalanche 
characteristics. We show that for these functions, 2 2n+2 < cry < 2 2n+2+e (e = for n even 
and e = 1 for n odd). 
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1 Definitions and Preliminaries 

The design and evaluation of cryptographic functions requires the definition of design 
criteria. The Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares 
in a study of these criteria. A Boolean function is said to satisfy the SAC if comple- 
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menting a single bit results in changing the output bit with probability exactly one half. 
In U , Preneel et al. introduced the propagation criterion of degree k (PC of degree k or 
PC(k)), which generalizes the SAC: a function satisfies the PC(k) if by complementing 
at most k bits the output changes with probability exactly one half. Obviously PC(1) 
is equivalent to the SA C property. The PC(k) can be stated in terms of autocorrelation 
function. Let V n = {aj|l <i< 2 11 } be the set of vectors of Z2 in lexicographical order. 
For a function on V n , we say that / satisfies the PC(k) if and only if 

^2f(x)(Bf(x(Bc) = 2 n - 1 , (1) 

for all elements c with Hamming weight (the number of nonzero bits) 1 < wt(c) < k, or 
equivalently, Aj(c) = 0, where 

A /( c )= E />)/>© c ) 

xev„ 

is the autocorrelation function and f(x) = (—l)f( x \ There is also another variation of 
the PC, when one requires to have the above relation for an arbitrary subset of V n , not 
necessarily for all x with 1 < wt(x) < k (see also 0])- 

As many authors observed, the PC is a very important concept in designing crypto- 
graphic primitives used in data encryption algorithms and hash functions. However, the 
PC captures only local properties of the function. In order to improve the global anal- 



ysis of cryptographically strong functions, Zhang and Zheng [11| introduced another 
criterion, which measures the Global Avalanche Characteristics (GAC) of a Boolean 
function. They proposed two indicators related to the GAC: the absolute indicator 

A .f = max I A/ (a) I, 



and the sum- of- squares indicator 

a 

The smaller o~f,Af the better the GAC of a function. Zhang and Zheng obtained 
some bounds on the two indicators: 

2 2n <o f < 2 3 ™,0 < A f < 2 n . 

The upper bound for aj holds if and only if / is afhne and the lower bound holds if 
and only if / is bent (satisfies the PC with respect to all i/O). 

There is an interest in computing bounds of the two indicators for various classes 
of Boolean functions. Recently, Son, Lim, Chee and Sung || proved 

a f > 2 2n + 2 n+3 , (2) 

when / is a balanced Boolean function, and Sung, Chee and Park ^ proved that if / 
also satisfies the PC with respect to A C V n , t = \A\, then 



> < 



2 2n + 2 6( 2 n if < t < 2 n - 2"~ 3 - l,t odd 

2 2n + 2 6( 2 n - t + 2), if < t < 2 n - 2"~ 3 - 1, t even (3) 

2 n -l-t 



1 + on \ ; ) 2 2n , if 2 n - 2 n ~ 3 -l<t<2 r 



The result (^) improves upon (^). Using the above result the authors of |?J have derived 
some new bounds for the nonlinearity of a balanced Boolean function satisfying the PC 
with respect to t vectors. We will improve their results significantly. 
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We need the following 
Definition 1. 

1. We call a the i-th basis vector of V n . 

2. An affine function is a Boolean function of the form f(x) = ffi" =1 CjXj © c. / is called 
linear if c = 0. 

3. The truth table of f is the binary sequence f = (vi,V2, ■ ■ ■ ,^2™), where Vi = f(oti). 

4- The Hamming weight of a binary vector v, denoted by wt(v) is defined as the number 
of ones it contains. The Hamming distance between two functions f,g : V n — > V\, 
denoted by d(f,g) is defined as wt(f © g). f is balanced is wt{f) = 2™ _1 . 

5. The nonlinearity of a function f, denoted by Nr is defined as mmd(f,l), where A n 

ieA n 

is the class of all affine function on V n . 

6. A vector / a G V n is a linear structure of f if f(x) © f(x © a) is constant for all x. 

7. If X,Y are two strings of the same length, (X\Y) means that X and Y occupy the 
same positions in the first and the second half of some function. 

8. Define the set of 4-bit blocks T = {A = 0, 0, 1, 1; A = 1, 1, 0,0; B = 0, 1, 0,1; B = 
1,0,1,0; (7 = 0,1,1,0; C = 1, 0,0,1; L> = 0,0,0,0; 5 = 1,1,1,1}. 

9. If some bits of an affine function I agree with the the corresponding bits in a function 
f , we say that I cancels those bits in f . 

10. If u is a given string and g is a Boolean function, we use u 9 = the string of bits in 
g which occupy the same positions as the bits in the string u. 
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11. If a Boolean string is a concatenation of either A/ A or B/B or C/C or D/D we 
say that it is based on A or B or C or D. 

12. By MSB(-) we denote the most significant bit of the enclosed argument. 

2 The First Result 

In this section the function / will denote a balanced Boolean function which satisfies the 
SA C. We will consider SA C functions constructed using some ideas of [l0| (see also jy] 
for another version of the construction). Define 1 • x = x ii if sc = ■ ■ ■ ,%n—l)- 
Let g : V n -\ — > V\ denote the Boolean function 1 • x © 6, b £ Vi, which satisfies 
g{x) = g(x © a), for any element a of odd Hamming weight. For a vector v £ V n , we 
denote by v' £ V n -\ the n — 1 least significant bits in v. In g 0, H or @ it is proved 
that functions of the form 

f = (h \h®g), or f=(h \l®g), (4) 

are SAC functions, where h is an arbitrary function on V n -i and l(x) = h(x © a), 
wt{a) = odd. Let x be the complement of x. 

Proposition 2. The functions (Qj 

x n h{xi, . . . ,x n -i) © x n (h(xi, . . . ,x n -i) ©"J, 1 Xi © b) or 

X n h(x\, . . . , ^Cra— l) © X n (h(x\, . . . , Xk, ■ ■ ■ > ^n-l) ®^=i © ^) > 
('an odd number of input bits xj~ are complemented), for an arbitrary Boolean function 

h defined on V n -\ and b G V\. 

Proof. Straightforward using the definition of g and concatenation. □ 
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First, we consider the case of balanced Boolean functions / denned on V n ,n > 3 



nonzero linear structures of h with even Hamming weight. We take a to be an element 
of odd Hamming weight. In our next theorem we compute the indicators for a class of 
functions satisfying the SAC. We remark that the global characteristics are not good 
for these functions although the local ones are (the functions are SAC). 

Theorem 3. If f is a balanced Boolean function of the form f = (h\l@g), l(x) = h(x) 
or l{x) = h(x © a), h an arbitrary Boolean function with C^ en > 1 and g as before, we 
have 



of the form (|j) such that h has linear structures. We denote by C e ^ en the number of 



2 2n (l + C e h ven ) <o- f <2 



,3n-2 



(5) 



Proof. Zhang and Zheng |T^] proved that for functions satisfying the SAC, the non- 



linearity satisfies 



N f > 2 



,n-2 



(6) 



In H the following inequality is obtained: 




(7) 



Using (^) and (^) we obtain easily the right inequality of (|5|), that is 



a f <2 



,3n-2 



From the proof of Lemma 1 of Jjj we get that a / satisfies 



X 



X 



X 



where b x = \ f(y)f(y © x). Using the trivial identity ab = |(a + b — a © b) and 
the fact that / is balanced, we get b x = \J2 y (f(v) + f(v © x ) ~ fiil) © f(v © x )) = 
2n-2 _ i ^ / (y) © /(y © x). We note that / satisfies the PC with respect to x if and 
only if b x = 2 n ~ 3 . Since / is balanced, Eccfe ~ 2 ™~ 3 ) = °- Jt follows that 

a / = 2 2ri + 2 6 (b x -2 n - 3 ) 2 . 



wt(x)>2 

t{x)l 



We want to evaluate Y^wt(x)>2Q ) x — 2™ 3 ) 2 . In order to do that we have to compute 



yeV„ 



Case 1: MSB(x) = 0. 
In this case 



2 n-l 

yeV„ i=l 

2 n-l 

•) © © x') © 5 K) © g(v\ © x'). 



(8) 



i=l 

Case 1.1: wt(x') = even. 

In this case, since g satisfies g{x) = g{x®a) for any element with odd Hamming weight, 
it follows that g{v[ © x') = g(v'j). Therefore, the equation (||) becomes 



S x = 2^h{v'- l )®h{v' l ®x'). 



i=i 



When x' is a linear structure of h, S x = 2 n c, where c = h(0) © /i(0 © x'). 

Case 1.2: wt(x') = odd. 

Then g(w ■ © x') = g(i^) and (g) becomes 

2?i— l 2 n— ^ 

S x = h (v'i) © © x') + h ( v i) © h ( v 'i © x') © 1 = 2™- 1 . 
i=l i=l 



Case 2: MSB(x) = 1. 

In this case, S x can be evaluated as follows: 

2^1— 1 QTl—l 

s x =Y, Kv'i) © h(v'i © x') © «K ex')+Yl h ( v i) © M<4 © x ') © 
i=l 1=1 

Case 2.1: wt(x') = even. 
Since g(i^) = © x'), we get 

2 n-l 

^ = 2 ^ /i(^) © ft(t^ © x') © giv'i). 
i=i 

Case 2.2: wt(x') = odd. 

Since © x') = p(^), we get 

2 n— i 2 n ~^~ 

s x = y^ Kv'd © © »') + Yl h ^ © ^ © x ') © 1 = 

1=1 1=1 
From the above analysis we deduce that: 
Case 1.1: 6^ = 2 n ~ 2 — 2~ 2 S X , and if x' is a linear structure for h, b x = 2 n ~ 2 or b x = 0. 
Case 1.2: b x = 2 n ~ 3 . 

Case 2.1: b x = 2 n ~ 2 — 2~ 2 S X , and if x' is a linear structure for h, b x = 2 n ~ 3 . 
Case 2.2: b x = 2 n ~ 3 . 

We observe that the only cases where we do not know precisely b x are when x is an 
element of odd Hamming weight with x' not a linear structure for h. 
We deduce that in the case 1.1 with x' a linear structure for h, 



b x -2 



n-3\2 _ 9 2(n-3) 



Now, returning to the computation of <jf, with the new results we get 
a f =2 2n + 2 6 (P* ~ 2 "~ 3 ) 2 ^ 

wt(x)>2 

2^71 _|_ 2^2^^ n ~ 3) £even H _|_ jpeven^ 



□ 



With the same data as in the previous theorem we obtain 
Corollary 4. For n > 3, A f = 2 n . 

Proof. The corollary follows from the proof of the theorem. For a Boolean balanced 
function, Af (x) = 2 3 b x — 2 n . Therefore for any x, such that x' is a linear structure of h 
of even Hamming weight, we have b x = or 2". Thus Af = max xg y n |Aj(x)| = 2 n . □ 

The previous corollary can also be deduced from Lemma 7 of |HJ], observing that if 
x' is a linear structure of h with even Hamming weight, then (0, x') is a linear structure 
for /. 

The following is an easy consequence of the previous theorem. It shows that the 
theorem gives tight bounds. 

Corollary 5. For a balanced Boolean SAC function f given by ([|), where h is affine 
we have the following equation 



f = 



Proof. This follows from the fact that any nonzero element of V n is a linear structure 
for an affine function. □ 
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Now we turn our attention to the nonlinearity of such functions. Using 

Nf < 2 n ~ l - 2- n / 2 ~ 1 ^aJ, 
and &f > 2 2n (l + Cf^ en ), we get the corollary 

Corollary 6. Let f be as in the Theorem Then, the nonlinearity satisfies 

2"" 2 < Nf < T- x - 2 n ' 2 - Vl + £ e h ven - (9) 

// / satisfies the conditions of Corollary then we have 

N f = 2 n - 2 . (10) 

Since 2 n + 2 n / 2+3 + 2 4 < 2 n (1 + C e ^ en ) , if £^ en > 1, it follows that the bounds (g) 
or ([!(]) are better than the result of Zhang and Zheng, who proved in [^] that 



N f < 2 11 ' 1 - -V2« + 2™/ 2 + 3 + 2 4 , if n is even. 
Sung et al. @ obtained the following upper bound for the nonlinearity 



TV/ < 2 n - x - 2" + 2 6 - ^ ^ n ^ 26 , if n > 2 is odd and 

1 / in — 1)2 6 

JV- < - -W2 n + 2 6 - ^ , if n is even, 

/ - 2 V 2™ 

which is certainly weaker than the bound we have obtained. 

3 Highly nonlinear balanced SAC functions with good 
GAC 



In the previous section we constructed a class of balanced functions with good local 
avalanche characteristics, but bad global avalanche characteristics. In this section we 
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will use some results from Q to construct balanced Boolean SAC functions of nonlin- 
earity at least 2 n - 2t( n+1 )/ 2 l, with good GAC. 

From a result we like to call Folklore Lemma (see we know that for any affine 
function I, if L is the first string of length 2 s in Z, then the next string of the same 
length will be L or L. A consequence of this fact is that any affine function is made up 
as a concatenation of blocks A/ A or B/B or C/C or D/D. 

Our next theorem was proven initially in a more general form. However, its proof 
relied heavily on results available only in 0, so we decided to provide here a complete 
proof for a slightly restricted subclass. Moreover, for this subclass we can provide 
better results, especially for even dimensions, which makes it all worthwhile. For the 
purpose of easy computation, we define a transformation 0{g) ("opposite") which maps 
an affine function based on M E T, into an affine function based on the same block 
M, having the self-invertible property O (O(g)) = g. If g = X\X 2 . . . X 2 n-2, then 
O(g) = Y{Y 2 ■ ■ ■ Y 2 n-2 is constructed by the following Algorithm, supported by the 
Folklore Lemma: 
Step 1. Y 1 =X 1 . 

Step i + 2. For any < i < n — 3, if X 2 i + \ ■ ■ ■ X 2 i+i = X\ . . . X 2 i , then Y 2 i +1 . . . Y 2 i+i = 
Y\ . . . Y 2 i . If X 2i+1 . . . X 2 i+i =X 1 ...X 2 i, then Y 2l+1 . . . Y 21+ i =Y 1 ...Y 2 i. 

Remark 7. The results will not change if we take the first block Y\ = X\ . 

By induction we can easily prove 

Lemma 8. 0{g) = 0(g). 
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The following theorem is a construction for balanced functions of high nonlinearity 
with very good local and global avalanche characteristics. Let [x] (the floor function) 
to be the largest integer less than or equal to x. For easy writing we let hi = 0(gi). 

Theorem 9. For n = 2k > 8 (or n = 2k + 1 > 9) let f to be the function obtained by 
concatenating 2 fc_1 segments Ti. For each 1 < i < 2 k ~ 2 , Ti is of the form 

{gihigihi\hi9ihigi) (11) 

and the segment T i+2 k-2 is of the form 

(higihigilmhimhi), (12) 

respectively, where the functions gi are afflne functions on V^~ 2 (or V^ 1 ). Further- 
more, we impose the following conditions: 

(i) Exactly a quarter of the functions gi are based on each of the A-bit blocks A, B, C, D. 

(ii) For any 1 < i / j < 2 k ~ 2 , the functions gi © gj are balanced. 

Then the function f is balanced, satisfies the SAC, has the nonlinearity Nf > 2 n ~ 1 — 
2t _ 5 _ ] and the sum- of- squares indicator satisfies 

where e = 0,1 if n is even, respectively, odd. 

Proof. We will prove the theorem for the case of n even, that is n = 2k, pointing 
out, whenever necessary, the differences for the case of odd n. The function / can be 
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written as 

\Qih\g\h\ ■ ■ ■ (?2 fc - 2 ^2 k ~ 2 92 k ~ 2 ^-2 fc ~ 2 ^igxhigx • • • h 2 k-2(j 2 k-2h 2 k-2g 2 k-2 

(13) 

higihigi • • • h 2 k-2g 2 k-2h 2 k-2g 2 k-2 9ihi9ihi • • • g 2 k -2h 2 k-2g 2 k-2h 2 k-2) . 
The fact that / is balanced can be seen by pairing the functions g with g and h with 

h in the two segments Tj and T i+2 k-2. To show that / satisfies the SAC we use some 

results of Cusick and Stanica, that is Lemma 1 or relation (8) of [Q], which says that a 

function / = (vi, . . . , t> 2 ™) = X\ ■ ■ ■ X 2 n-2 satisfies the SAC if and only if 

(wiW 2 i~i + i + W2W2i-l + 2 + ' ' ' + W2i-iW 2 i) + 

(w 2 i + iW 2 i + 2i-i+l H h ■w 2 i +2»- 1 ' w 2 i + 1 ) H H (14) 

(w 2 n_2i + lW 2 n_2 i - 1 +l + • • • + W 2 n_2 i - lW 2 n ) = 0, 

for each i = 1,2,... , n, where Wi = (—l) Vi , or equivalently (if i > 3), 

(X x X 2 i- 3+1 H h X 2 i-s Xji- 2 ) H = 0, (15) 

for each i = 3, 4, . . . , re, where M iV is equal to the number of 0's minus the number 
of l's in M © N If we associate the 4-bit blocks {A, A} <^ {B,B} and {(7,(7} ^> 
{.D, 5}, we see that, for i < 2, the relation (|l~4|) holds. Obviously, if M© is balanced, 
then M Q N = 0. Thus, in the sum ([15]) the sum in each parenthesis is zero, except 
perhaps the ones based entirely on D, D (which are the only unbalanced 4-bit blocks in 
T). However, those terms will have an antidote in another parenthesis. For instance, 
since D D = —D D = 4, D D will have the antidote D D, according to the 
form of our functions. 

In order to compute the nonlinearity of / we have counted the bits at which our 
function differ from any linear or affine function. Intuitively, we need to prove that 
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on average an affine function cannot cancel to many blocks in a segment. Precisely, 
we show that given any two segments Ui,U2 in the same half of /, based on the same 
block MET, then wt(UiU 2 © U[U l 2 ) > 2 k ' 1 + 2 k , for any affine function I based on the 
same block M. This is shown easily using the folklore lemma, and observing that on 
the positions of U1U2, I can have only the following forms: (LLLLLLLL\LLLLLLLL), 
(LLLLLLLL\LLLLLLLL) , (LLLLLLLL\LLLLLLLL) , etc. Since all cases are treated 
similarly, we may assume that {U[U l 2 ) = (LLLLLLLL\LLLLLLLL) (recall the defini- 
tion of U l ). Without loss of generality we may assume that Ui, U 2 are in the first half 
of / and Ui = (fi^iSiMIMi^iS'i), U 2 = {g 2 h 2 g 2 h 2 )\h 2 #2^2 92)- Thus 

wt(UiU 2 © U[U 2 ) = 2wt(gi © L) + wt(hi © L) + wt(hi © L) 

+2wt(g 2 © L) + wt(h 2 © L) + wt(h 2 © L) 
+wt(hi © L) + utf Oi © L) + 2u;t(c/i © L) 
+wt(h 2 © L) + U7t(/i 2 © L) + 2wt(g 2 © L) 

= 4wt(gi © L) + 4tot(52 © i) + 2 fc 

> 4^(<7 1 ffi 52 ) + 2 fe = 2 fc - 1 + 2 A; . 

Here we used wt(a © c) + wt(b © c) > tot (a © 6), the fact that g. L © gj is balanced and 
ift(a © b) + wt(a © b) = 2 k ~ 2 , if a, b, c G V fc „ 2 - Next, we compute wt(f © /). One 
may assume that / is based on A. From the part of / that does not contain A, A we 
get 3 • 2 2k ~ 3 = 2 2k ~ 1 — 2 2fe ~ 3 units for the weight (we recall that only a quarter of all 
blocks contain A, A). We consider now the part of / based on A. Using the previous 
result, we deduce that in the worst case (minimum weight), I cancels completely at 
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most four functions from each half, and from the rest of the part of / based on A, 
half of the blocks are cancelled. Since there are 2 k functions based on A and we 
cancel 8 functions, we gather that there remain 2 k — 8 functions uncancelled. Since 
each uncancelled function contributes 2 fc ~ 3 units to the weight (recall that if two affine 
functions g, I are not equal or complementary, their sum is balanced), we get 2 2fc_3 — 2 k 
units contributed to the weight by the part based on A, so the nonlinearity is at least 

2 2fc-l _ 2 2fc-3 + 2 2k-3 _ 2 k = 2 2k-l _ 2 k_ j n the odd case we get Nf > 2 2k-l _ 2 k+l ( the 

lengths of the affine functions gi , hi double, while the number of segments remains the 
same), by a similar argument. 

Now, since Nf < 2 ra_1 — 2~t _1 ^aj and from the above analysis Nf > 2 n ~ 1 — 2^^^ 
we get 

2 --i-2[^]<2"- 1 -2-f- 1 ya7, 

which will produce our right hand side inequality 

a f < 2 2n+2 , if n is even, and 07 < 2 2n+3 , if n is odd. 

In order to evaluate S x for suitably chosen x we apply the same technique as in the 
proof of Theorem ||. For x = e« © < j, let 

Sx = Yl f(v) © f(y® x ) = Y1 f( Vs "> © f( Vs © ei © e i) = 

y£V n s=l 

2[/(«i) e /(«2j-i+2*-i+i) + • • • + /(«2<-0 © /K-1+2O + (16) 

/(« 2 *-l+l) © /(^-i+l) H 1" /fe- 1 +2 1 - 1 ) © /( u 2J- 1 +2'- 1 )] H • 



Using the form of our functions and taking x — &n— i © &m we get 



Se n - l( $e n =2j2(9i®gi + h i ®h i + g i ®g i + h i ® hi) = 2 n 

9i,hi 

Thus, (b en _ l(Ben - 2«- 3 ) 2 = 2 2 "- 6 . 

Now, we take x = ei © ej © e r , i < j < r. Thus, we get 
^ = ^/(y)ffi/(yffix) = 

f( V *) © /(^ © e i © e i © = 

s=l 

2[/(^i) e /(w 2r -i +2J -i +2I -i +1 ) h h 

f(v 2 i-l) © ,/ (f 2 >-l+2J-i+2*) + 
/(V 2 i-1 +1 ) © /(V 2 r-1 +2J -1 +1 ) + • • • + 
f(v 2 i-l +2 i-l) © /(■W 2 r-i + 2J-i+2»-l)] H • 

Now, taking x = © © e n and n = 2/c, we obtain 



S, 



efc- 



(/(fl) © f{v 2 n-l +2 k-l +2 k-2 +1 ) H 1- 

f{v 2 k-2) © /(v 2 „-l +2 fe)) + 
(/(-y 2 fc-2 +1 ) © f(v 2 n-l +2 k-l +1 ) +■■■ + 
f(v 2 k-2 +2 k-2) © f(v 2 n-l +2 k-l +2 k-2)) + 
(/(f 2 fc-l +1 ) © /(-y 2 n-l +2 fc-2 +1 ) + • • • + 
f(v 2 k-l +2 k-2) © /(-U 2 n-l +2 fc-l)) + 
{f(v 2 k-l +2 k-2 + 1 ) © /(« 2 n-l +1 ) + • • • + 
/(W 2 fc) © f(v 2n -l +2 k- 2 )) + 
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for any function /. In particular, for the functions in our class, we get 

2 k-2 



S ek _ l(Bek(Ben = 2 ^2(g s ® g s + K © h s + g s ® g s + h s © h s ) 

s=l 

2 k-2 

+ 2^{h s ®h s +g s @g s + h s ®h s + g s @g s ) = 0. 



s=l 

Similarly, 5' efc _ ieefceen _ 1 = 2 n . Thus, &ejfe_iffie*0e„ = 2™~ 2 and be^ee*.©^-! = 0. 

In any of the three cases x = e n -\ © e« 5 £k-i © © e n _i, e^-i © © e n , we have 
(6 B - 2 n " 3 ) 2 = 2 2n " 6 . Thus, 

2n i q6q2ti- 6 i r)6r)2ri— 6 i r)6n2n— 6 r)2n+2 



CT/ > 2 zn + 2°2 zn - D + 2°2 Z?1 - D + 2 D 2^ n ~ D = 2^ 



□ 



Corollary 10. For f given by Theorem ^ we have Aj = 2 n . 
Proof. We know that A f (x) = 2 3 b x - 2 n . Therefore, 

A/(e fc _i © e k © e n ) = 2 3 • 2 n ~ 2 -2 n = 2 n , 
and the result follows. □ 

Corollary 11. If n is even and f is given as in Theorem |, then a f = 2 2n+2 , N f = 
2«-i — 2"2 ; and f is PC with respect to all but four vectors. Moreover, the three nonzero 
vectors, which do not satisfy the propagation criterion, are linear structures for f. 

Proof. We proved that, if n is even, then c/ = 2 2n+2 . If there is an x not equal 
to the four displayed vectors in the proof of Theorem pi for which / is not PC, then 
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b x 7^ 2" 3 . If so, then by the same argument we would get <jf > 2 2n+2 , which is not 



true. So / is PC with respect to all but four vectors. In [13|, Zhang and Zheng proved 
that, if a function satisfies the PC with respect to all but four vectors, then n must 
be even, the nonzero vectors, where the propagation criterion is not satisfied, must be 
linear structures and Nf = 2 n_1 — 2 n / 2 . We have the result. □ 

As we can see the bounds are extremely good, not too far from that of bent functions, 
improving upon any known ones. We suspect we can modify the construction to improve 
the nonlinearity for the odd dimension as well, and we will pursue this idea elsewhere. 

Remark 12. If the conditions imposed in Theorem || hold for gi, they certainly hold 
for hi = O(gi) as well. 

4 Examples and Further Research 

An example of a function satisfying the conditions of Theorem |9| with hi = O(gi), for 
n = 8 is 

aaaabbbbccccddddaaaAbbbbccccdddd 
AaaabbbbccccddddAAAabbbbccccdddd, 

which is balanced, SAC (actually, it is PC with respect to all but 0, e-j © eg, e^ © e^ © 
eg, e3©e4©e7), has nonlinearity 112 and the sum-of-squares indicator attains the upper 
bound, o~f = 262, 144 = 2 2 ' 8+2 . The algebraic normal form is x± + x-j + x\x^ + x\x§ + 

X 2 X 5 + X 2 Xq + X 3 Xg + £4X7 + X4XS + X 5 Xq. 

We can define the transformation O using the same algorithm starting with the first 
bit, rather than the first block, so 0{A) = B, 0(C) = D, etc., obtaining a result similar 
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to our Theorem |[ It seems that the algebraic degree increases for that class, but we 
were not able to prove that in its full generality. An example of a function constructed 
using this idea, for n = 8, is 

ababbabacdcddcdcbabaababcdcddcdc 
babaAbabdcdccdcdAbAbbAbadcdccdcd. 

It turns out that the above function is balanced, has nonlinearity precisely 112, it is 
SAC (in fact, it is PC with respect to 252 vectors), the sum-of-squares indicator attains 
the upper bound, aj = 262, 144 = 2 2 ' 8+2 . The algebraic normal form is x\ + x 7 + xix^ + 
XxXq + X\X 7 + XiX 8 + X 2 X 5 + X 2 Xq + x 2 x 7 + x 2 x$ + x 3 x 8 + x 4 x 7 + x 4 x 8 + x 5 x e + x e x 7 + 
X e X$ + 2:2^3^7 + ^22^3^8- 

Another venue of further research would be the construction of a class of functions 
with these good local and global avalanche characteristics and high nonlinearity, using 
blocks in the complementary set of T, namely T' = {U = 1, 0, 0,0; U = 0, 1, 1,1; V = 
0,0,0,1; V = 1,1, 1,0; J? = 0,1,0,0; X = 1,0,1,1; Y = 0,0,1,0; Y = 1,1,0,1}. 
Our experiments showed that this approach seems to increase the algebraic degree of 
the functions involved, but we were not able to find and control all the mentioned 
cryptographic parameters, yet. 

Acknowledgements. The author would like to thank the anonymous referees for 
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